malwarewikiaorg-20200223-history
Buffy
Buffy is an IRC worm coded by Gigabyte on Microsoft Windows. It is also sometimes dropped from a Word Macro, also named Buffy. The worm contains several references to the popular television series "Buffy The Vampire Slayer". Buffy arrives through IRC as a file named BTVS.EXE. It is also sometimes dropped from an MS Word Macro worm. When executed, the virus copies itself to the root of the C: drive. It creates a file in the Windows folder named start.vbs. Payload When the worm is executed, this file will display the following message: No one asks for their life to change, not really. But it does. So what, are we helpless? Puppets? No. The big moments are gonna come. You can't help that. It also drops a file in the root of the drive named AUTOEXEC.BAT. This file will display the message when executed: Buffy The Vampire Slayer 2000 (Buffy2k) Written by Gigabyte Buffy leaves a file in the Windows folder named winstart.bat that displays the following text when run: We like to talk big. Vampires do. 'I'm going to destroy the world.' That's just tough guy talk. Strutting around with your friends over a pint of blood. The truth is, I like this world. You've got... dog racing, Manchester United. And you've got people. Billions of people walking around like Happy Meals with legs. It's all right here. But then someone comes along with a vision. With a real... passion for destruction. Angel could pull it off. Goodbye, Picadilly. Farewell, Leicester Bloody Square. You know what I'm saying? It also creates a file named script.ini, located in C:\mirc\, which sends the worm under the name BTVS.EXE. The file also gives crackers control of the mIRC client. It joins the channel #virus and sends the message: "In every generation there is a chosen one...She alone will stand against the vampires, the demons, and the forces of darkness...She is the slayer...". It then leaves the channel and joins #gigavirii. Here it sends the message We killed a homeless man on this bench. Me and Dru. Those were good times. You know, he begged for mercy, and you know, that only made her bite harder." The Buffy macro There is a Word macro that can spread this worm. It does not spread itself as a macro or infect other Word files. When executed, the macro checks for the existence of the registry key "VAMPIR3". If it does not find it, it creates the file "BUFFY_GAME2K.EXE" (a copy of the worm) in the Windows folder. It sends an email containing the worm to up to 58 recipients in the Outlook contact list, then creates the key to make sure it does not infect twice from the same computer. The attachment will be the BUFFY_GAME2K.EXE file. The subject is "HI! HAPPYNEWYEAR FROM " & ". The text body is: I'VE FOUND A VERY FUNNY GAME, THE THEME IS BUFFY, REALLY CUTE! SAY TO ME IF YOU LOVE IT :) Other Facts There is one other self-replicators named Buffy, the Buffy DOS virus. Sources McAfee Antivirus, Virus Profile: Buffy.worm.a. 2000.04.12 Trend Micro, W97M_BUFFER.A. 2000.11.06 Category:Virus Category:IRC worm Category:BAT Category:Win32 Category:Win32 worm Category:Win32 virus Category:Worm Category:Macro Category:Microsoft Windows